From cce3c7ebb194e33a4cf267eb546bbdca14406ac2 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Thu, 27 Mar 2025 02:03:19 -0700
Subject: [PATCH] realm_export: Restrict deletion to users in the same realm.

This fixes CVE-2025-30368.

Signed-off-by: Anders Kaseorg
---
 zerver/views/realm_export.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zerver/views/realm_export.py b/zerver/views/realm_export.py
index 81b71f6eba..2ead857448 100644
--- a/zerver/views/realm_export.py
+++ b/zerver/views/realm_export.py
@@ -136,7 +136,7 @@ def get_realm_exports(request: HttpRequest, user: UserProfile) -> HttpResponse:
 @require_realm_admin
 def delete_realm_export(request: HttpRequest, user: UserProfile, export_id: int) -> HttpResponse:
     try:
-        export_row = RealmExport.objects.get(id=export_id)
+        export_row = RealmExport.objects.get(realm_id=user.realm_id, id=export_id)
     except RealmExport.DoesNotExist:
         raise JsonableError(_("Invalid data export ID"))
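Review bot: The patch carries no regression test — the diffstat lists only zerver/views/realm_export.py — so nothing pins that a realm admin of a different realm now receives `Invalid data export ID` instead of deleting another organization's export. I would add a test that creates a RealmExport in one realm, issues the delete as an admin of a second realm, and asserts both the JsonableError response and that the row still exists afterwards. The added `realm_id=user.realm_id` filter is the right scope and keeps the error identical for missing and foreign ids, so the response does not reveal whether an export id exists in another realm. It is worth confirming that the other RealmExport lookups in this module apply the same realm filter; they are outside this hunk so I cannot verify that here. delete_realm_export's body continues past the end of the hunk.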